BabelGladeExtractor 0.7.0
Cory Francis Myers edited this page Oct 13, 2023 · 2 revisions
According to https://libraries.io/pypi/BabelGladeExtractor, BabelGladeExtractor
has had 11 releases between 20 July 2007 and 17 January 2020.
BabelGladeExtractor
is part of the GNOME Keysign project.
Bandit finds no high-severity issues; the only medium-severity finding is the `etree.parse()` call in `translate.py`, with three low-severity findings alongside it:
```
(.venv) user@sd-dev:~/securedrop/BabelGladeExtractor-0.7.0$ bandit -r babelglade -x babelglade/tests/
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.9.2
Run started:2023-10-13 00:11:15.423749

Test results:
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: babelglade/extract.py:17
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
16
17      import xml.etree.ElementTree as etree
18
19
20      def extract_glade(fileobj, keywords, comment_tags, options):

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: babelglade/extract.py:59
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
58          for event, elem in parser.read_events():
59              assert event == "end"
60              translatable_attr = elem.attrib.get("translatable", "no")

--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: babelglade/translate.py:5
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
4       import os
5       import xml.etree.ElementTree as etree
6
7       from babel.messages.pofile import read_po

--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: babelglade/translate.py:57
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
56      catalogs = get_catalogs(localedir)
57      tree = etree.parse(infile)
58      root = tree.getroot()

--------------------------------------------------

Code scanned:
        Total lines of code: 159
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 3.0
                Medium: 1.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 4.0
Files skipped (0):
```
We don't use BabelGladeExtractor with any XML inputs.
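The two kinds of finding above are easy to reproduce with the standard library alone. The following is an added example written for this review page, not code from BabelGladeExtractor or SecureDrop: it shows that `xml.etree.ElementTree` silently expands internal entity declarations in a Glade-shaped document (the B405/B314 concern), and a hardened variant of the `extract_glade()` loop that rejects any DTD before parsing and replaces the `assert event == "end"` (B101) with a check that survives `python -O`. The function names, the `ForbiddenXML` exception and both Glade snippets are constructed for illustration; the rejection logic mirrors what `defusedxml` does for `forbid_dtd`/`forbid_entities`, implemented here directly on `xml.parsers.expat` so the example has no third-party dependency.

```python
"""Added example: reproduce and harden the Bandit findings using only the stdlib.

Nothing here is BabelGladeExtractor's own code; names and sample inputs are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """A DTD or entity declaration was found; Glade files never legitimately carry one."""


def reject_dtd_and_entities(data: bytes) -> None:
    """First pass with a bare expat parser: abort on any DOCTYPE or entity declaration.

    Entities can only be declared inside a DOCTYPE, so the doctype handler fires first and
    the entity handler is belt-and-braces. An exception raised inside a handler propagates
    out of Parse(), so nothing after the declaration is ever processed.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE not allowed (root element {name!r})")

    def on_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed ({name!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def unsafe_label_length(data: bytes) -> int:
    """What the flagged code path does: plain ElementTree, entities expanded without complaint."""
    root = ET.fromstring(data)
    label = root.find(".//property[@translatable='yes']")
    return len(label.text or "")


def safe_translatable_strings(data: bytes) -> list[str]:
    """Hardened version of the extract_glade() loop shape: DTD check first, explicit event check."""
    reject_dtd_and_entities(data)
    parser = ET.XMLPullParser(events=("end",))
    parser.feed(data)
    parser.close()
    strings = []
    for event, elem in parser.read_events():
        if event != "end":  # an explicit check survives -O; `assert` would be compiled away
            raise RuntimeError(f"unexpected parser event {event!r}")
        if elem.tag == "property" and elem.attrib.get("translatable", "no") == "yes":
            strings.append(elem.text or "")
    return strings


# Constructed sample inputs (not real BabelGladeExtractor test data).
BENIGN_GLADE = b"""<?xml version="1.0" encoding="UTF-8"?>
<interface>
  <object class="GtkLabel" id="title">
    <property name="label" translatable="yes">Hello, world</property>
    <property name="visible">True</property>
  </object>
</interface>
"""

# A two-level "billion laughs" seed: a 4-byte reference expands to 100 bytes.
# Real attacks nest this ten levels deep; the shape is what matters here.
HOSTILE_GLADE = b"""<?xml version="1.0"?>
<!DOCTYPE interface [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<interface>
  <object class="GtkLabel" id="title">
    <property name="label" translatable="yes">&b;</property>
  </object>
</interface>
"""

if __name__ == "__main__":
    print(safe_translatable_strings(BENIGN_GLADE))
    print(unsafe_label_length(HOSTILE_GLADE))
    try:
        safe_translatable_strings(HOSTILE_GLADE)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

The expansion stays far below libexpat's built-in amplification threshold, which is the point: the stdlib parser will happily expand a crafted entity tree until that limit is reached, whereas rejecting the DOCTYPE outright fails closed the moment the declaration is seen. For a build script that only ever reads the project's own `.glade` files this is defence in depth, which matches the assessment above that the findings are not reachable with untrusted input.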
According to https://libraries.io/pypi/BabelGladeExtractor, BabelGladeExtractor is a dependency of 1 package and 3 repositories (as of this review).
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Reviewed from:
bcf805e28b4bb18c8b6909a65a7cf5c7c2bcbf4ae50b164878c9682d22271798 BabelGladeExtractor-0.7.0.tar.bz2
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETASaYTBMr1LMpavPW6rc/l76p9EFAmUoiXYACgkQW6rc/l76
p9HkZg//YUGsO4DOVty4GyLZOqABbolsmUmLCBOfLy79SK0uNqNQaBCq4JzJeDSi
3cY6KwVtBJuQdjwTnR+nnfS2GYYEoEJPr19je6LDhCheadXI5k6TED0Vwvo9FfGQ
6TWigIAPIlHUo0UntEVJwrzVbvxC/y1oi1c0DthrK/qTITEr7Itc/UqNgybMqChl
gYElqJhL6pvZdpwTDfCCemngF/B7rtn6qtOI8nio8II1omSCtoavoNc3nRDNnsWo
ePjK+sDQCciflPXp1yn9lLLfIV7tQv3G1w3vXq9GeHEmhB9SNrRGQ9QTOaUxXiNW
8vSFyRWthIF2lSy4HA6n4qZhwRh/o2rmZRSnWJnEJmJXCiijotaBhCxHcBa8IRFA
yhr/VVZ99spXvEKG7hBUC+glK04n4buen839Q96OQkJRZQZOfRNUBuySJYkmGf9g
MTw8HxkYfsf8Bd3nQCC2thYwec5bgI34zHxmFikEblvsZqc4Z/Szt55kwX6bdgqf
1GvY66zJsGWXmxW1yHvPyDqZWTdzDlkXXqQPokmdja43Cm4MafGrjXHv8Mkwm8pB
qnk07XwhWehkIuxV3pa3+uqMLoH2jm9srqcCJ7JMT2p/lGayh1Lghi7u3Cc1BeUG
fQw4Jh4+jF66bldmWl62OKtrEbUDs6Mblw1x48syQH/1RAqs4dE=
=PYs5
-----END PGP SIGNATURE-----
```